The most interesting ports right off the bat are 21 (FTP) and 80 (HTTP). I start with the website just to see what I’m dealing with and am presented with a login page:

I start up dirbuster and let that run in the background while I try tossing some basic default login creds at it without success. I also check out the page source, find flag number 1, and decode the base64 within it:

```
flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}
CIA - Operation Treadstone
```

This is apparently a Bourne Trilogy reference, so I find a wiki about Operation Treadstone, and make a wordlist of it using cewl:

I use Burp Intruder to quickly run through the list, but still come up empty handed. The thing to notice here is that the error code is weird enough to be unique (Thanks friend.):

After plopping that into Google, I end up at this github page with what looks like the same thing being hosted on the VM. Lo and behold, the username/password combo of supplier/supplier allows me to log in:

I’m now presented with what looks like a marketplace screen where I can edit and add items, their pictures, prices, etc.:

I mess around with this for a little while and am able to bypass the picture upload restrictions, but according to the source code from the github found earlier, the files are still being renamed and there’s not much to be done about that. Going back to the dirbuster scan, it looks like there are some interesting results:

I navigate to each of the 302’d directories and find a SquirrelMail install and also find that as long as I’m logged in as supplier, I can access the user directory as well as the admin directory. I can even make changes to users as if I were the admin. No privilege separation! After poking around the edit user functionality for a while, I notice an interesting parameter get passed when editing a user:

The interesting parameter is “id=7” here. This id changes depending on the user, which means that I can probably edit the password for what I assume is the admin at user id=1. I change the id to 1 in the POST request:
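The bug behind that id swap is a missing server-side authorization check on the edit-user handler. The following is an added example, not code from the writeup or from the marketplace project on github: a minimal Python model of the handler in its described form next to a fixed form, with a constructed in-memory user table (ids 1 and 7, roles "admin" and "supplier") standing in for the site's database.

```python
# Added example (not from the writeup or the marketplace project): the
# "edit user" handler with the id parameter trusted as-is, beside a version
# that checks who is asking. Users, roles and passwords are constructed.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    role: str        # constructed roles: "admin" or "supplier"
    password: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to edit the target user."""


def make_users() -> dict:
    """Constructed in-memory user table standing in for the site's database."""
    return {
        1: User(1, "admin", "admin", "old-admin-pw"),
        7: User(7, "supplier", "supplier", "supplier"),
    }


def edit_user_vulnerable(users: dict, session_user_id: int, target_id: int, new_password: str) -> User:
    """Behaviour described in the post: whatever id arrives in the POST body is
    edited, so any logged-in user can reset any other user's password."""
    target = users[target_id]
    target.password = new_password
    return target


def edit_user_fixed(users: dict, session_user_id: int, target_id: int, new_password: str) -> User:
    """The target must be the caller, or the caller must hold the admin role.
    The identity comes from the session, never from the request's id field."""
    caller = users[session_user_id]
    if target_id != caller.id and caller.role != "admin":
        raise Forbidden(f"user {caller.id} ({caller.role}) may not edit user {target_id}")
    target = users[target_id]
    target.password = new_password
    return target


def attempt(handler, users: dict, session_user_id: int, target_id: int, new_password: str) -> str:
    """Run one handler and report the outcome as a string."""
    try:
        handler(users, session_user_id, target_id, new_password)
        return "changed"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    users = make_users()
    print("vulnerable, supplier edits id=1:", attempt(edit_user_vulnerable, users, 7, 1, "pwned"))
    users = make_users()
    print("fixed, supplier edits id=1:     ", attempt(edit_user_fixed, users, 7, 1, "pwned"))
    print("fixed, supplier edits id=7:     ", attempt(edit_user_fixed, users, 7, 7, "mine"))
```

The same check also covers the "supplier can reach the admin directory" observation above: the role decision has to be made on the server for every request, not by hiding links in the UI.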

Looks like the site was ok with the change, now to attempt to login:

It worked! I also obtained flag 4! Wait... what happened to flags 2 and 3? Decoding flag 4 gives the following:

```
flag4{bm90aGluZyBpcyBoZXJl}
nothing is here
```

Not too helpful. I poke around with the admin account for a bit, but it seems to have all the same access that supplier had. I guess the decoded output was right. Thinking back to the method I used to gain access to the admin account, I wondered if there was a potential SQL injection point in that parameter. With that in mind, I copied the POST request into a text file and fired up SQLMap:

So at this point I’m a bit stuck. I couldn’t log into squirrelmail, there was a mention of an eworkshop site that I haven’t found, and I don’t know jbourne’s password. I step away for a bit and I remember flag 4 said something about email access, so I log in again. That’s when it hits me: “email access ?????” is literally telling me his password. So I try to log into squirrelmail using jbourne/?????:

I’m in! In the drafts folder I find a message:

So I’ve found flag 5 which decodes to:

```
Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}
Everything is encrypted
```

As well as some ciphertext. Studying the recurring patterns a bit, I’m pretty sure this is a substitution cipher. I toss it into a substitution solver I found on the internet and am presented with:

```
Hi Dimitri
If you are reading this I might be not alive. I have place a backdoor in Blackmarket
workshop under /kgbbackdoor folder you must have to use
PassPass.jpg in order to get access.
```
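Why the "recurring patterns" give a monoalphabetic substitution away, as an added example that is not part of the writeup: the plaintext below is the decoded message, the key is a constructed seeded shuffle of the alphabet (not the VM's key), and the code shows that the index of coincidence, the letter-frequency ranking and the repeated-word structure all survive the substitution untouched, which is exactly what a solver exploits and what a polyalphabetic cipher would flatten.

```python
# Added example (not from the writeup): what a monoalphabetic substitution
# preserves. Key is constructed; plaintext is the decoded message.
import random
import string
from collections import Counter

PLAINTEXT = (
    "Hi Dimitri If you are reading this I might be not alive. I have place a backdoor "
    "in Blackmarket workshop under /kgbbackdoor folder you must have to use "
    "PassPass.jpg in order to get access."
)


def make_key(seed: int = 1) -> dict:
    """Constructed random key: each lowercase letter maps to a distinct letter."""
    letters = list(string.ascii_lowercase)
    shuffled = letters[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(letters, shuffled))


def invert_key(key: dict) -> dict:
    return {v: k for k, v in key.items()}


def substitute(text: str, key: dict) -> str:
    """Apply the key letter by letter; case and non-letters are left alone."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in key:
            mapped = key[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are equal.
    English prose sits near 0.066, uniformly random letters near 0.038.
    A substitution only relabels letters, so the value does not move."""
    letters = [c for c in text.lower() if c.isalpha()]
    n = len(letters)
    if n < 2:
        return 0.0
    counts = Counter(letters)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def letter_frequencies(text: str) -> list:
    """Letters ordered by frequency. The ciphertext's ranking is the
    plaintext's ranking pushed through the key."""
    letters = [c for c in text.lower() if c.isalpha()]
    return [c for c, _ in Counter(letters).most_common()]


def repeated_words(text: str) -> dict:
    """Word-shaped tokens that occur more than once: the repeating patterns
    you can see by eye in the ciphertext."""
    words = [w.strip("./,").lower() for w in text.split()]
    return {w: n for w, n in Counter(words).items() if w and n > 1}


if __name__ == "__main__":
    key = make_key()
    ct = substitute(PLAINTEXT, key)
    print(ct)
    print("IoC plaintext  :", round(index_of_coincidence(PLAINTEXT), 4))
    print("IoC ciphertext :", round(index_of_coincidence(ct), 4))
    print("repeated words :", repeated_words(ct))
    print(substitute(ct, invert_key(key)))
```

The IoC is the quick triage number: if it is near English and the text still looks like gibberish, a substitution solver is the right tool; if it is near 0.038, the cipher is mixing alphabets and frequency tables alone will not crack it.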

So another mention of workshop. Hmm, ok. I append kgbbackdoor to the big.txt list and let dirbuster chew on that for a while in the background. Nothing. I determine that there’s enough talk about eworkshops to generate a wordlist with crunch for it:

```bash
crunch 9 9 -t @workshop >> testlist.txt
crunch 9 9 -t workshop@ >> testlist.txt
crunch 10 10 -t @workshop@ >> testlist.txt
```

I append this new list to the big.txt list and try my luck with dirbuster again:

Success! I found the workshop site in the directory vworkshop, the backdoor directory, a backdoor, and the flag! What a haul! This is flag 6 and decodes to:

```
flag6{Um9vdCB0aW1l}
Root time
```

I navigate to the backdoor.php file and am presented with what appears to be a 404:

Checking out the page source, however, reveals that there is an incomplete login form here that only asks for a password. I try a few passwords with no luck. Based on the message I found in squirrelmail, I download the PassPass.jpg file:

Running strings on the file shows some text appended to the end of the file:

```
Pass=5215565757312090656
```

I try passing this number to the form with no luck. It’s an odd number so I can’t convert it from hex to ASCII. I try a billion different things and am stumped. I end up reaching out to Ace Bomber to see what he has to say about it. While I waited on his reply, I decided to put together a list of names from the wiki from earlier and try my hand at the FTP server:

```bash
hydra -L users.txt -P pass.txt -e nsr ftp://192.168.10.138 -V -I -F
```

```
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
```
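The defender's view of that hydra run, as an added example that is not part of the writeup: many distinct usernames failing from one client address within seconds (the `-e nsr` options add the null, same-as-login and reversed-login guesses on top of the wordlist), followed by a success from the same address. The log lines below are constructed in vsftpd's `vsftpd.log` style with made-up addresses and users; the sliding-window logic is mine, not from any product.

```python
# Added example (not from the writeup): flag FTP login guessing from log lines.
# Log lines are constructed in vsftpd.log style; IPs and users are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mon Sep 10 12:00:01 2018 [pid 2001] [jbourne] FAIL LOGIN: Client "10.0.0.9"
Mon Sep 10 12:00:01 2018 [pid 2002] [dimitri] FAIL LOGIN: Client "10.0.0.9"
Mon Sep 10 12:00:02 2018 [pid 2003] [admin] FAIL LOGIN: Client "10.0.0.9"
Mon Sep 10 12:00:02 2018 [pid 2004] [supplier] FAIL LOGIN: Client "10.0.0.9"
Mon Sep 10 12:00:03 2018 [pid 2005] [dimitri] OK LOGIN: Client "10.0.0.9"
Mon Sep 10 12:05:00 2018 [pid 2006] [jbourne] FAIL LOGIN: Client "10.0.0.20"
Mon Sep 10 12:30:00 2018 [pid 2007] [jbourne] OK LOGIN: Client "10.0.0.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line: str):
    """One vsftpd-style login line -> dict, or None if the line is something else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def detect_guessing(log_text: str, window: timedelta = timedelta(seconds=60), threshold: int = 3) -> dict:
    """Per client IP, find the densest run of failures inside `window`.
    Alert when it reaches `threshold`; record how many distinct usernames were
    tried (spraying signature) and which accounts then logged in OK."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best, best_users, start = 0, set(), 0
        for end, f in enumerate(fails):          # sliding window over failures
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n > best:
                best = n
                best_users = {e["user"] for e in fails[start:end + 1]}
        if best >= threshold:
            alerts[ip] = {
                "failures_in_window": best,
                "distinct_users": len(best_users),
                "success_after": sorted({e["user"] for e in evs if e["result"] == "OK"}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A single failed login followed half an hour later by a success (the `10.0.0.20` lines) is a typo, not an attack, and stays below the threshold; four different usernames in two seconds from one address is the pattern to page on, and the `success_after` list is the account to reset.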

Oh hey! I got some valid creds! I check out the ftp server, and wouldn’t you know it, there’s a message with flag 2 in it:

```
flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}
If anyone reading this message it means you are on the right track however I do not have any idea about the CIA blackmarket Vehical workshop. You must find out and hack it!
```

Wow. That would have made finding the workshop a tad easier. Oh well! Flag 2 decodes to:

```
flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}
Congrats Proceed Further
```

Ace Bomber has gotten back to me at this point and tells me to convert the number to its hex representation first. It suddenly clicks. I don’t know why I didn’t think to do that. The conversion path:

```
Decimal:
5215565757312090656
Hex:
4861696C4B474220
ASCII:
HailKGB
```
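Both the strings step and the conversion path, carried through in code as an added example that is not part of the writeup: a well-formed JPEG ends at its EOI marker (`FF D9`), so anything after it was appended by hand, and that is what `strings` surfaced. The JPEG bytes below are a constructed minimal stand-in, not the VM's PassPass.jpg; only the decimal value is from the post. The decoder also handles the case where the hex form has an odd digit count (the pad-to-even step that makes unhexlify work), and it shows that the last byte, `20`, is a space, which the ASCII line above does not display.

```python
# Added example (not from the writeup): trailer-after-EOI extraction and the
# decimal -> hex -> ASCII conversion. JPEG bytes are constructed; the decimal
# value is the one from the post.
import binascii

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def make_sample_jpeg(trailer: bytes) -> bytes:
    """Constructed minimal JPEG-shaped blob: SOI, one APP0/JFIF segment, EOI, trailer."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14 bytes
    app0 = b"\xff\xe0" + (len(app0_payload) + 2).to_bytes(2, "big") + app0_payload
    return JPEG_SOI + app0 + JPEG_EOI + trailer


def trailing_data(blob: bytes) -> bytes:
    """Everything after the last EOI marker. An image encoder stops at EOI, so
    bytes here are a sign something was appended to the file."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (no SOI marker)")
    idx = blob.rfind(JPEG_EOI)
    if idx < 0:
        raise ValueError("no EOI marker")
    return blob[idx + 2:]


def decimal_to_ascii(number: int) -> str:
    """The post's path: decimal -> hex -> ASCII. A hex string with an odd digit
    count cannot be split into bytes, so it is left-padded with one zero first."""
    hex_digits = format(number, "x")
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    return binascii.unhexlify(hex_digits).decode("ascii")


def extract_pass(blob: bytes) -> str:
    """Find a `Pass=<digits>` token in the trailer and decode it."""
    for token in trailing_data(blob).split():
        if token.startswith(b"Pass="):
            return decimal_to_ascii(int(token[5:].decode("ascii")))
    raise ValueError("no Pass= token after EOI")


if __name__ == "__main__":
    sample = make_sample_jpeg(b"\nPass=5215565757312090656\n")
    print("trailer:", trailing_data(sample))
    print("hex    :", format(5215565757312090656, "X"))
    print("ascii  :", repr(extract_pass(sample)))
```

The trailer check is also a cheap upload-side control for the marketplace's picture upload: renaming a file does nothing about content appended after EOI, but rejecting or truncating anything past the marker does.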

So the next step is to fix the form one last time:

Put the password in the hidden field, and click the submit button I added to the page:

Success! At this point I want shell. So I click the Network link, send myself a shell, and use python to make a nicer bash experience:

I poke around for a little while to see if there are any apparent priv esc opportunities here and nothing seems to be sticking out at me. I run uname -a and paste it into google. Try a few exploits, none of them seem to work out of the box. Then I give the trusty DirtyCOW exploit a shot: